Keep an eye out for VMX-XL ... you might be able to get your Meraki rep to give you a discount for the unused portion of your licence against these larger appliances coming out. My guess, pure speculation, I think it might support around 5,000 client VPN users. Most of its limits are about 10x more. You can get a feel for the XL here: https://documentation.meraki.com/MX/MX_Sizing_Information/MX_Sizing_Principles#vMX-Series_2 Tricky question about the SAML. Basically this is how it works: User connects to MX. MX redirects it to Entra with some session specific information. Entra ID sends the use a redirect back to the MX with session specific information. If you can guarantee the user will end up talking to the same MX both times during this flow, then you should be able to use a single app definition in Entra ID. Note that this will also require you to buy 4 x SSL certificates (one for each MX). A safe option would be to use the dynamic DNS name, add four apps in Entra ID, and configure "Optimal Gateway Selection" in the AnyConnect client, and let AnyConnect use whatever VPN is responding the fastest. https://community.cisco.com/t5/security-knowledge-base/anyconnect-optimal-gateway-selection-operation/ta-p/3124296 If it was me - I think I would prefer the safety of OGS.
... View more
